AV7 Registry Value and AV7 in Startup Menu

Forum: Windows XP
April 15, 2010 12:52:31 AM

Hello, my system was invaded by AV7... malware. I removed the malware program from the registry and from the hard drive. Still, I cannot remove the value from the registry or startup menu. It restores after deletion. I don't think it is affecting my system, but would it be good to remove it entirely? If so, how?

Best solution

April 15, 2010 1:00:36 AM

Hi goedel,

Start with this:

Restart your computer in 'Safe Mode with Networking Support'.
(To do this: Power on your computer and start tapping the F8 key at the top of your keyboard rapidly until the Windows Start Menu appears. Then select the Safe Mode with Networking Support menu option and press the Enter key.)

Open your web browser and go to www.malwarebytes.org

Download their free malwarebytes program from their main page

Install the program on your computer and run it.

Update the Malwarebytes program and do a full scan.
(You may be asked to restart. Do so, but use the F8 key to return to Safe Mode.)

Let us know the results of the scan and whether or not any symptoms persist and we will troubleshoot deeper.

Cheers!
April 16, 2010 1:54:01 AM

digitalprospecter said:
Hi goedel,

Start with this:

Restart your computer in 'Safe Mode with Networking Support'.
(To do this: Power on your computer and start tapping the F8 key at the top of your keyboard rapidly until the Windows Start Menu appears. Then select the Safe Mode with Networking Support menu option and press the Enter key.)

Open your web browser and go to www.malwarebytes.org

Download their free malwarebytes program from their main page

Install the program on your computer and run it.

Update the Malwarebytes program and do a full scan.
(You may be asked to restart. Do so, but use the F8 key to return to Safe Mode.)

Let us know the results of the scan and whether or not any symptoms persist and we will troubleshoot deeper.

Cheers!


Hi, thanks for your suggestion. Right now, my inclination is to let the AV7 values remain in my registry. The malware program "antivirus7.exe" seems to be gone from my computer. I deleted it where I found it, possibly in Program Files. Also, I deleted it from the registry values AV7 as data and substituted (value not set), which seems harmless enough.

Your prescription will take more time, and since I do not seem to have a further problem I shall put it on hold. I do look at my running processes in Task Manager to see if I can identify a process that was inserted by AV7; so far none has been identified.

Thanks for your help. If I discover anything new, I'll pass it on. Meanwhile, anyone else with an AV7 problem can do what I have done: delete "antivirus7.exe" wherever it is found on the hard drive and in the registry. Where AV7 is a registry value, enter (value not set) for the data and forget about it.
April 16, 2010 1:59:58 AM

Malware can spread to other files. You may have deleted some or all of it, but I would follow digitalprospecter's suggestion to verify. It's relatively painless, and can save you further headache down the road.
April 16, 2010 2:44:45 AM

Thanks for the warning, aford10.

If I see any sign of AV7 mischief, I'll follow the Rx.

April 16, 2010 2:47:02 AM

Best answer selected by goedel.
April 16, 2010 3:21:46 AM

Glad to hear your computer is running better, but keep an eye on it.

You could also run ccleaner from http://www.piriform.com/products as this is a quick, safe, and easy way to clean your registry of orphaned registry entries from your deletions.

Cheers!
April 16, 2010 3:47:03 AM

aford10 said:
Malware can spread to other files. You may have deleted some or all of it, but I would follow digitalprospector's suggestion to verify. It's relatively painless, and can save you further headache down the road.


OK, I changed my mind and followed the Rx. The downloaded malware hunter found two "problems" on the quick scan. I decided not to "fix" them. Instead, I saved the errors in a file, and restarted my system in a normal startup.

After starting up, I went to the saved file and printed the two registry keys that were described as "Trojan.FakeAlert" by the downloaded software. One key was in HKEY_CLASSES_ROOT\CLSID\(.............); the other was in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\(...............). The characters in the two parentheses are identical hexadecimal digits. They are 32 digits long and therefore, I guess, an address. That address may contain an alert for the Explorer browser, which I hardly ever use.

I went to regedt32 and examined the two suspect keys. They appeared much like the other keys in the registry. The values and data associated with the keys also appeared just like the other values and data in the listings. They seemed entirely harmless to me. They did not refer to any executable files or to any other locations in the registry or in my files. Since I do not use Explorer, I decided to let them be just as they were.

If I notice any fake alerts with my Mozilla browser, I shall delete the two entries above. Meanwhile, I'll keep the printout with my computer records.

Thanks for your interest. I hope this record helps someone.

April 16, 2010 3:51:32 AM

PS: Before I deleted the AV7 executable file, a fake alert was being generated.
April 16, 2010 3:55:23 AM

Yes, you may notice that I did not capitalize "malware hunter". I was using a generic description for it. The name of the software is Malwarebytes, as you correctly point out.
April 16, 2010 4:06:54 AM

I understand your caution concerning removing registry entries, and if no program files were identified by Malwarebytes then you are likely OK to leave the registry entries as is, but they don't have to point to actual program files to cause mischief.
You could back up your registry keys by exporting them from regedit32 before deleting them (or let Malwarebytes take them out, it really is a very conservative program).

In any event, I am glad that your computer is working better. Please consider selecting a Best Answer so that this problem is marked Solved to better identify this thread as helpful for other people with this problem.

Cheers!
April 16, 2010 4:09:27 AM

digitalprospecter said:
I understand your caution concerning removing registry entries, and if no program files were identified by Malwarebytes then you are likely OK to leave the registry entries as is, but they don't have to point to actual program files to cause mischief.
You could back up your registry keys by exporting them from regedit32 before deleting them (or let Malwarebytes take them out, it really is a very conservative program).

In any event, I am glad that your computer is working better. Please consider selecting a Best Answer so that this problem is marked Solved to better identify this thread as helpful for other people with this problem.

Cheers!


You were already selected as best answer.
April 16, 2010 4:12:11 AM

goedel said:
Yes, you may notice that I did not capitalize "malware hunter". I was using a generic description for it. The name of the software is Malwarebytes, as you correctly point out.


I gotcha. I just wanted to make sure you were using the right program.

If you think you may have some loose registry entries now, try using ccleaner to tidy up the registry.
http://www.piriform.com/ccleaner
April 16, 2010 11:34:32 AM

aford10 said:
You were already selected as best answer.


Totally missed that fact! That is what happens when I post after midnight!
April 16, 2010 12:21:43 PM

Thanks all!
April 16, 2010 5:32:04 PM

goedel said:
Hello, my system was invaded by AV7... malware. I removed the malware program from the registry and from the hard drive. Still, I cannot remove the value from the registry or startup menu. It restores after deletion. I don't think it is affecting my system, but would it be good to remove it entirely? If so, how?


I have received replies suggesting the use of Malwarebytes' scanner, which I tried.

Although the scanner seemed to find two problems, it did not find any problem related to AV7. I still find the value AV7 in my registry and cannot delete it; it reinserts. I imagine that some procedure is running that prevents the deletion of the value AV7. Otherwise, some other protection is being given to this value in my registry. I have removed the execution file associated with AV7, "antivirus7.exe". I don't believe the malware is still active, but I am not sure. This morning, one of my "MyYahoo" selections reported an error. That has not happened before. That may be a problem of the internet source rather than my system. We'll see.

April 16, 2010 7:05:33 PM

Sounds like we still have at least part of the malware active on your system. When you feel you're ready, we can take a few more steps to remove it.

Cheers!
April 16, 2010 7:46:07 PM

Ready to listen to good advice, Mr Prospecter :)
April 16, 2010 8:54:45 PM

Sometimes it takes several antispyware utilities to beat an infection. Malwarebytes is one of the best, but let's try another program that has been around for quite some time: Spybot (current version 1.6.2):

Restart your computer in 'Safe Mode with Networking Support'.
(To do this: Power on your computer and start tapping the F8 key at the top of your keyboard rapidly until the Windows Start Menu appears. Then select the Safe Mode with Networking Support menu option and press the Enter key.)

Go to http://www.safer-networking.org/en/download/

Download their free Spybot program from their download page

Install the program on your computer and run it.

Update the Spybot program and perform a scan.

After the Spybot scan is complete you can even go on to do a scan with SUPERAntiSpyware from http://www.superantispyware.com/download.html

Download, install, and update their program (unfortunately you will have to do this in Normal Startup Mode as the program will not install from Safe Mode)

Do a scan with SUPERAntiSpyware

Let us know the results! :)
April 16, 2010 9:12:16 PM

Hi goedel,

I forgot to mention this little utility meant to stop the processes that support AV7.

If you run this program it should disable those infection processes and another scan with MalWareBytes should remove all traces of AV7.

A tip from the author about using rkill is that if the AV7 infection tries to stop rkill from running by falsely identifying rkill as a virus, then you should leave the warning on the screen without clicking on it and run another instance of rkill again. This should stop the infection processes.

http://download.bleepingcomputer.com/grinler/rkill.com

April 16, 2010 9:16:17 PM

I have Spybot; tried it; it did not notice AV7 values. After I tried Malwarebytes' and it did not find AV7, I deleted it using Control Panel. I then had to delete its entries from my registry because its uninstall does not do that for you.

I have the impression that these cleanup programs do not inspect the processes that are shown in the taskbar. If I could pinpoint the running process that is preventing the deletion of AV7 from the registry, that could be a big leap forward.

If it is a necessary process that has been corrupted, I may be able to end it and replace it. Working in the dark, that is without a knowledge of the Windows system, I cannot end processes without causing more problems. Right now, I don't think I have an active problem and am probably just wasting time, yours and mine; but thanks!
April 16, 2010 9:56:38 PM

OK. Just so we are on the same page, my impression from your earlier posts is that MalWareBytes did identify two registry entries but you tried to remove them manually instead of letting Malwarebytes take them out. These entries keep coming back.

If you haven't done so yet, perform these steps:

Download and run the rkill program.
http://download.bleepingcomputer.com/grinler/rkill.com

Then perform the MalWareBytes scan again and remove any identified issues.

* If those registry entries keep coming back then you most likely do still have an active issue, though some processes of the infection may have been crippled by your earlier deletions of the actual program files.
April 17, 2010 1:17:03 AM

Not quite! I successfully deleted the keys that Malwarebytes' did not like. They did not come back.

The ones that keep recurring after deletion from the register as values are the AV7 entries. They were not discovered by Malwarebytes'. They were my original problem.

What Malwarebytes' found may have been a problem "Trojan.FakeAlert". It may even have been related to the AV7 problem, but I do not know that. I must admit that the AV7 problem did manifest itself in a fake alert that froze the browser and required me to go to task manager to come out of the browser.

In any case, I do not seem to be having any problems now - except for the annoying reappearances of AV7 in my registry. The fact that I cannot delete them is a worry.
April 19, 2010 3:03:56 PM

Sorry I am late in replying! I use AVG's free antivirus program. It has successfully protected me for several years. My problem now seems not to be a virus. The AVG program - free version - does not claim to protect against trojan horses, worms or other infections.
April 19, 2010 3:24:48 PM

PS: Tom, I notice that the AV7 value appears in the registry only under the "Run" keys (in two places). The other values for "Run" are all essential programs, it seems. I am thinking that once a value is entered under a "Run" key, it cannot be removed by deletion because the system itself prevents its removal. The other possibility is that, as you wrote, the AV7 is still active but crippled in the system because its execution file has been deleted. AV7 remains in my registry but like a "default" key: (value not set). I must simply remain watchful to see if any strange occurrences appear. Thanks!
April 19, 2010 5:13:31 PM

If the registry key is:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Then you should be able to delete the entry. The only reason it would come back is if there is an active process (or a startup program) designed to put it back in.

When you delete the entry, does it come back without you restarting the computer, or does it come back only after you restart the computer?

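The question above (does the value return immediately, or only after a reboot?) can be answered systematically. The following is an added example, not code from anyone in this thread: it lists the HKLM and HKCU Run/RunOnce values, checks whether each command still points at a file on disk, and polls one value after deleting it. It assumes an elevated PowerShell prompt; the value name 'AV7' is taken from the thread and used only as a default argument.

```powershell
# Added example (not from the thread): inventory the Run/RunOnce autostart
# keys the thread discusses, check whether each command still points at a
# file on disk, and watch one value to see whether anything re-creates it
# after deletion. Assumes an elevated PowerShell prompt; the value name
# 'AV7' comes from the thread and is only a default argument.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Extract the executable from the command line (quoted or bare);
            # an empty command is what regedit shows as "(value not set)".
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                   else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Key     = $key
                Name    = if ($name -eq '') { '(Default)' } else { $name }
                Command = $cmd
                OnDisk  = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
            }
        }
    }
}

# Delete a value and poll for its return. A comeback within seconds means a
# live process is rewriting it; a comeback only after reboot points at
# another autostart location (service, scheduled task, startup folder).
function Watch-AutostartValue {
    param([string]$Key, [string]$Name = 'AV7', [int]$Seconds = 60)
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    for ($i = 1; $i -le $Seconds; $i++) {
        Start-Sleep -Seconds 1
        $cur = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($cur) { return "re-created after ${i}s: '$($cur.$Name)'" }
    }
    return "still absent after ${Seconds}s; check again after a reboot"
}

Get-AutostartEntries | Format-Table -AutoSize
```

Export the key with regedit (File > Export) before calling Watch-AutostartValue, since the deletion is real; a value that is re-created while you watch is the signal that a live process, not the system, is restoring it.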